Interlude: Balancing defense and investigation

When I first read the Internet Storm Center post revealing the malware program and IP addresses of the QuantumFilament group, I was concerned. This research depends on the QF group’s continued activities, and I was concerned that such a public disclosure would cause the cyber operators to modify or suspend their activities. As it happened, two times over the next week the servers used by QF were shut down, and both times QF migrated to use different IP addresses.

There are pros and cons to disclosing information about an ongoing cyber operation.

Pros to disclosure

Provides technical information to system administrators, who can use the information to prevent or detect attacks against their systems.

Educates the professional cyber community on offensive tactics and techniques.

Creates the possibility for disperate investigators tracking the same threat group to communicate and collaborate.

Makes the cyber threat group work harder, as they have to spend time changing their programs, behavior or network addresses.

Cons to disclosure

Puts future investigation at risk, because disclosure puts the threat group on notice they are being monitored. The cyber threat group could modify their methods and operations to make future investigation more difficult and costly. Generally any setbacks–and disclosure is a setback–makes the cyber threat group smarter. Smarter bad guys are harder to investigate and catch.

Disclosure often does not protect average Internet users. Shutting down compromised servers is usually just a brief inconvenience, because most professional cyber groups have a practically unlimited supply of systems and IP addresses they can break into, and use to initiate their operations.

Most professional cyber operations have one of two goals: to steal money or to steal information. Relative to the physical world,, stealing money or information in cyberspace has a few distinct advantages:

First, the landscape of cyberspace is truly flat. I can just as easily cause trouble around the block as I can cause trouble halfway around the world.

Second, the cyber universe is not just flat, but fast too. All computers and devices on the planet that are connected to the Internet can be reached within seconds.

Third, its far easier to be anonymous in cyberspace. At minimum it requires some paperwork (through a subpoena) to link a cyber identity to a real world identity. If a person takes steps to mask his cyber identity, it can take a lot more work than that to find his physical identity.

And fourth, there is no one unified set of laws, let alone people to enforce these laws, in cyberspace. If I find that computers in China and Bangladesh are stealing my company’s information, I may have a hard time finding the authority and expertise, along with the language expertise and political will, to investigate the case.

Basically if someone is bent on doing bad in cyberspace, he or she can do it quickly, do it to a lot more people at once, and do it anonymously. Stealing money and stealing information over the Internet is actually easy, especially if one doesn’t have a specific target in mind. Given this, there are a lot more criminals and professionals doing bad, than there are professionals and investigators investigating. For most researchers, who have no legal authorities, public disclosure of what they observe is often the only action they can take.

The Internet Storm Center disclosure ended up giving me, the investigator, a unique look at QF’s reaction to a setback, namely the disclosure and elimination of two of the five IP addresses programmed into the loader binary version 14. In the next chapter, I will use this and other behavior to sketch a profile of this group.